For the webslides for a presentation to the Safety Critical Systems Symposium
2002, click here.

The figure below is a caricature of the present approach to safety assurance,
where the high-level metric is the quantity of documentation produced (e.g.
PCSRs, POSRs). The examination of other possible metrics leads to the proposals
that follow.

The paper addresses the question of what information can be used through life,
but particularly during design development, to provide assurance of safety.
The proposition is that there is a temporal and logical dependency between the
metrics shown on the manager's wallchart: culture brings about processes, which
bring about product characteristics, which lead to achieved performance.

It is proposed that culture metrics are best kept informal to prevent them
becoming political. At a working level, culture change is likely to be the subject
of initiatives rather than metrics.

Process metrics can be used in a formal context, and provide the indicator
with the greatest lead.

The problem with estimated performance is that it provides little comfort early
in the lifecycle, because of the inevitable uncertainties associated with early
Fault Tree Analysis, as shown below. Even adding confidence limits to event
probability estimates is unlikely to provide the level of assurance necessary,
and may even backfire.
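To make the point about early Fault Tree Analysis concrete, the following added example (not from the paper or the figure it refers to) propagates bounds on basic-event probabilities through a small, constructed coherent fault tree: the top event occurs if (A and B) or C. The tree, the point estimates and the error factor of 10 on each basic event are all assumptions chosen for illustration; the propagation relies only on the fact that, in a coherent tree built from AND and OR gates, the top-event probability is monotone non-decreasing in every basic-event probability, so evaluating the tree at the lower and upper basic-event values gives the lower and upper bound on the top event.

```python
import math

# Constructed fault tree: top event = (A AND B) OR C.
# Node = (kind, payload); kind is "basic" (payload = event name)
# or "AND"/"OR" (payload = list of child nodes).
TREE = ("OR", [("AND", [("basic", "A"), ("basic", "B")]), ("basic", "C")])

# Constructed point estimates with an error factor (EF) per basic event:
# the analyst's bounds are p/EF and p*EF. EF = 10 is an assumption
# standing in for the sparse data available early in the lifecycle.
BASIC_EVENTS = {
    "A": {"p": 1e-3, "ef": 10.0},
    "B": {"p": 1e-2, "ef": 10.0},
    "C": {"p": 1e-5, "ef": 10.0},
}


def evaluate(node, probs):
    """Top-event probability for given basic-event probabilities,
    assuming independent basic events."""
    kind, payload = node
    if kind == "basic":
        return probs[payload]
    child_ps = [evaluate(child, probs) for child in payload]
    if kind == "AND":
        return math.prod(child_ps)
    if kind == "OR":
        # 1 - prod(1 - p); adequate here, though it loses precision for
        # probabilities far smaller than those in this example.
        return 1.0 - math.prod(1.0 - p for p in child_ps)
    raise ValueError(f"unknown gate kind: {kind}")


def bounds(node, events):
    """Return (lower, point, upper) top-event probabilities.

    Lower/upper are obtained by evaluating the tree at every basic event's
    lower/upper value; this is exact for coherent (AND/OR-only) trees
    because the top-event probability is monotone in each basic event.
    """
    point = {name: ev["p"] for name, ev in events.items()}
    low = {name: ev["p"] / ev["ef"] for name, ev in events.items()}
    high = {name: min(1.0, ev["p"] * ev["ef"]) for name, ev in events.items()}
    return evaluate(node, low), evaluate(node, point), evaluate(node, high)


def spread_decades(lower, upper):
    """How many orders of magnitude separate the upper and lower bound."""
    return math.log10(upper / lower)


if __name__ == "__main__":
    lo, pt, hi = bounds(TREE, BASIC_EVENTS)
    print(f"top event: lower={lo:.2e} point={pt:.2e} upper={hi:.2e}")
    print(f"bound spans {spread_decades(lo, hi):.1f} decades")
```

With an error factor of 10 on three basic events, the bound on the top event spans roughly three orders of magnitude around the point estimate. A bound that wide says little about whether a target is met, which is the reason estimated performance offers so little comfort early in the lifecycle.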

Localised Process Improvement (PI) or Continuous Improvement (CI) metrics related
to process capability (levels 1 to 5) can be used at a team level. The designer's
aide-memoire, providing day-to-day support for safe design, is likely to
be a manageable set of design principles.